on the security of election audits with low entropy randomness · evt/wote 2009 on the security of...
TRANSCRIPT
On the Security of Election Audits with
Low Entropy Randomness
Eric Rescorla
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1
Overview
• Secure auditing requires random sampling
– The units to be audited must be verifiably unpredictable
– Simple physical methods (dice, coins, etc.) are expensive
• “Stretching” approaches
– Randomness tables [CWD06]
– Cryptographic pseudorandom number generators
(CSPRNGs) [CHF08]
• These techniques must be seeded with verifiably random values
• Small (but natural) seeds give the attacker an advantage
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 2
Formalizing the Problem: The Auditing Game
Audit units
(U)
Attacked
(K)
Audited
(V)
V∩K = /0: Attacker wins
Audit units
(U)
Attacked
(K)
Audited
(V)
V∩K 6= /0: Attacker loses
• Two players: Attacker and Auditor
• U audit units (U0,U1, ...UN−1)
• Attacker selects K⊂ U to attack (|K|= k)
– Selection is made before preliminary results are posted
• Auditor selects V⊂ U to audit (|V|= v)
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 3
Auditing Game Strategy
• If the auditor’s selections are random and i.i.d then:
Pr(detection) = 1−v−1
∏i=0
(N− i− k)N− i
• No matter how the attacker chooses K
• This is the auditor’s optimal strategy
• What about intermediate cases?
– Attacker has incomplete information about V
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 4
Example: A Million Random Digits [RAN02]
• Pick a random starting group and read forward
– This process has log2(#entries) bits of entropy
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 5
Random Number Tables Bias and Attacker Advantage
• Random number tables aren’t the same as random numbers
– The attacker knows the table
– But not the starting point
• Two effects give the attacker an advantage
– Natural variation in the occurrences of each value
– Clustering of values
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 6
Natural Variation
160 180 200 220 240
0.00
00.
005
0.01
00.
015
0.02
00.
025
Number of occurrences (n)
Pro
babi
lity
• Binomially distributed counts
• Expected value = T/N
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 7
Natural Variation
160 180 200 220 240
0.00
00.
005
0.01
00.
015
0.02
00.
025
Number of occurrences (n)
Pro
babi
lity
Area=k/N
• Binomially distributed counts
• Expected value = T/N
• Attacker selects k least frequent
units
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 8
Natural Variation
160 180 200 220 240
0.00
00.
005
0.01
00.
015
0.02
00.
025
Number of occurrences (n)
Pro
babi
lity
Area=k/N
n_k • Binomially distributed counts
• Expected value = T/N
• Attacker selects k least frequent
units
• The kth least frequent unit ap-
pears nk times
nk = min{
n : cdf(n)≥ kN
}
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 9
Auditing with Natural Variation
• Total entries in table corresponding to k least frequent units†:
Tbad = Nnk
∑n=0
nϕ(n)
• This is just a standard sampling problem
– Each “good” sample removes approximately F entries:
F =T −Tbad
N− k• Probability of detection of least frequent k units:
Pr(detection) = 1−v−1
∏i=0
T − iF−Tbad
T − iF
†Semi-accurate approximation; see paper.
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 10
Clustering Effects
• We’re not really sampling the table randomly
– We read entries in sequence
– The order of the entries matters
0 0 0 0 0 0 0 0 0 0
1 1 1 1 1 1 1 1 1 1
6 7 8 9 2 3 4 5 6 7
8 9 2 3 4 5 6 7 8 9
2 3 4 5 6 7 8 9 2 3
4 5 6 7 8 9 2 3 4 5
6 7 8 9 2 3 4 5 6 7
8 9 2 3 4 5 6 7 8 9
2 3 4 5 6 7 8 9 2 3
4 5 6 7 8 9 2 3 4 5
A table constructed to minimize detection
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
0 2 3 4 5 1 6 7 8 9
A table constructed to maximize detection
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 11
Simulation Studies
• No good analytic model for clustering effect
– Though some potential avenues
• Easiest to study via simulation
– Generate a random table (using CSPRNG)
– Generate an attack set of size k
– Determine which offsets will sample at least one element of K
• Two kinds of attack sets
– Random (should have expected statistics)
– Randomly selected from least frequent 2k units†
• Results averaged over multiple tables (5–25)†This is heuristic. We don’t have a good algorithm here either.
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 12
Example
0 100 200 300 400 500 600
0.0
0.2
0.4
0.6
0.8
1.0
Number of Sampled Precincts
Pro
babi
lity
of D
etec
ting
Atta
ck
ExpectedUnder Attack
200,000 entries, 1000 precincts, 10 attacked
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 13
The Attacker’s View: Modest Advantage
• Still very likely to be detected
– In the above example: about 4x more chance of success at 99%
– Biggest gap around 80% nominal detection rate (71.4% actual)
• Probably not enough to make or break an attack
– But worth doing if you’re going to attack anyway
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 14
The Auditor’s View: Higher Work Factor
Detection Units to Audit Units to Audit Difference
Probability (projected) (under attack)† (percent)
80% 148 190 28
90% 205 270 32
95% 258 340 32
99% 368 540 47
Required audit levels: 200,000 entries, 1000 precincts, 10 attacked precincts
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 15
General Trends
• More entries per unit decrease attacker advantage
– Larger tables
– Fewer units
• Higher attack rates decrease attacker advantage
– Need to select increasingly probable values
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 16
A Big Table
0 100 200 300 400
0.0
0.2
0.4
0.6
0.8
1.0
Number of Sampled Precincts
Pro
babi
lity
of D
etec
ting
Atta
ck
ExpectedUnder Attack
1,000,000 entries, 1000 precincts, 10 attacked precincts
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 17
Permuted Tables
0 100 200 300 400 500 600
0.0
0.2
0.4
0.6
0.8
1.0
Number of Sampled Precincts
Pro
babi
lity
of D
etec
ting
Atta
ck
ExpectedUnder attack (permuted)Under attack (random)
200,000 entries, 1000 precincts, 10 attacked precincts
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 18
Potential Improvements
• New tables
– Bigger (107 entries?)
– Permuted rather than random
– Generated using a PRNG?
• Existing tables
– Individual addressing
– Random offsets
– Multiple starting points
– All of these need analysis
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 19
What about CSPRNGs?
• CSPRNGs have big state spaces no matter what the seed size
– Stronger than tables for the same seed entropy
– Intuition: sequences don’t overlap
• Cryptographic applications require very large seeds
– Not necessary here
– Need unpredictability, not unsearchability
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 20
Security of PRNGs by Seed Size (nominal 99% level)
● ● ●
●
●
●
●
●●
● ● ● ● ● ● ●
5 10 15
0.0
0.2
0.4
0.6
0.8
1.0
Bits of entropy
Pro
babi
lity
of D
etec
ting
Atta
ck
Probability of detection for PRNGs: 1000 precincts, 10 attacked
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 21
Summary
• Secure auditing requires verifiably unpredictable random values
• Generating them directly seems expensive
• Natural stretching approaches may not deliver their expected
security
• Not clear if randomness tables can be used safely
• PRNGs appear safe with modest-sized seeds
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 22
References
[CHF08] Joseph A. Calandrino, J. Alex Halderman, and Edward W. Felten. In Defense of
Pseudorandom Sample Selection. In Proceedings of the 2008 Electronic Voting
Technology Workshop, 2008. http://www.usenix.org/events/evt08/tech/full_
papers/calandrino/calandrino.pdf.
[CWD06] Arel Cordero, David Wagner, and David Dill. The role of dice in election
audits—extended abstract. IAVoSS Workshop on Trustworthy Elections 2006 (WOTE
2006), June 2006. http://www.cs.berkeley.edu/~daw/papers/dice-wote06.pdf.
[RAN02] RAND Corporation. A Million Random Digits with 100,000 Normal Deviates.
American Book Publishers, 2002.
EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 23